On Wed, 2021-08-04 at 09:20 +0000, THOBY Simon wrote:
> MD5 is a weak digest algorithm that shouldn't be used for cryptographic
> operation. It hinders the efficiency of a patch set that aims to limit
> the digests allowed for the extended file attribute namely security.ima.
> MD5 is no longer a requirement for IMA, nor should it be used there.
>
> Remove the CRYPTO_MD5 dependency for IMA.
>
> Signed-off-by: Simon Thoby <simon.thoby@xxxxxxxxxx>
> ---
> security/integrity/ima/Kconfig | 1 -
> security/integrity/ima/ima_main.c | 3 ++-
> 2 files changed, 2 insertions(+), 2 deletions(-)
>
> diff --git a/security/integrity/ima/Kconfig b/security/integrity/ima/Kconfig
> index d0ceada99243..f3a9cc201c8c 100644
> --- a/security/integrity/ima/Kconfig
> +++ b/security/integrity/ima/Kconfig
> @@ -6,7 +6,6 @@ config IMA
> select SECURITYFS
> select CRYPTO
> select CRYPTO_HMAC
> - select CRYPTO_MD5
> select CRYPTO_SHA1
> select CRYPTO_HASH_INFO
> select TCG_TPM if HAS_IOMEM && !UML
> diff --git a/security/integrity/ima/ima_main.c b/security/integrity/ima/ima_main.c
> index 1cba6beb5a60..b70ee0125168 100644
> --- a/security/integrity/ima/ima_main.c
> +++ b/security/integrity/ima/ima_main.c
> @@ -53,7 +53,8 @@ static int __init hash_setup(char *str)
> if (strcmp(template_desc->name, IMA_TEMPLATE_IMA_NAME) == 0) {
> if (strncmp(str, "sha1", 4) == 0) {
> ima_hash_algo = HASH_ALGO_SHA1;
> - } else if (strncmp(str, "md5", 3) == 0) {
> + } else if (IS_ENABLED(CONFIG_CRYPTO_MD5)
> + && strncmp(str, "md5", 3) == 0) {
> ima_hash_algo = HASH_ALGO_MD5;
> } else {
> pr_err("invalid hash algorithm \"%s\" for template \"%s\"",
FYI, with the non "ima" template formats and MD5 is not configured, it
fails with the following messages:
ima: Can not allocate md5 (reason: -2)
ima: Allocating md5 failed, going to use default hash algorithm sha256
thanks,
Mimi
